Guest VLAN, IDM, DNS
08-05-2008 11:59 AM
Just getting started with IDM. I want to start out by configuring a guest VLAN (VLAN8) that provides internet access with no access to the internal network. My issue is that I cannot resolve DNS names. To prove this I added a few entries to my test laptop hosts file and can hit the websites no problem. I've created an access policy in IDM and the result of the RACL is listed below.
Firewall IP: 192.168.77.254/24
RACL
===================
show access-list radius d21
Radius-configured Port-based ACL for
Port D21, Client -- 0017A4D76B45
deny in ip from any to 192.168.75.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.76.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.77.0/24 cnt
Packet Hit Counter : 23
deny in ip from any to 192.168.74.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.73.0/24 cnt
Packet Hit Counter : 0
permit in udp from any to 0.0.0.0/0 53 cnt
Packet Hit Counter : 426
permit in tcp from any to 192.168.77.254/24 cnt
Packet Hit Counter : 0
permit in ip from any to 192.168.77.254/24 cnt
Packet Hit Counter : 0
permit in udp from any to 192.168.77.254/24 cnt
Packet Hit Counter : 0
permit in ip from any to 0.0.0.0/0 cnt
Packet Hit Counter : 476
Client
=========
WinXP SP3
Open1X Supplicant
IP: 192.168.78.21
NM: 255.255.255.0
GW: 192.168.78.1
DNS1: 4.2.2.1
DNS2: 4.2.2.2
Can someone show what is misconfigured?
08-05-2008 12:50 PM
Re: Guest VLAN, IDM, DNS
One piece in the RACL that might be causing an issue is the: deny in ip from any to 192.167.77.0/24.
You have this entry before the line: permit in ip from any to 192.167.77.254/24.
I would expect the deny for the 192.167.77.0 network to occur first, so the permit statement to your firewall would never be invoked.
So, you might try putting the permit statement with the specific address of your firewall before the deny statement to the 192.167.77.0/24 network.
Since your DNS servers are 4.2.2.1 and 4.2.2.2, I'm not sure this will fix the DNS problem, but that is the only deny statement I see with hit counter increments. It also looks like the last line of the ACL is a permit any any, so my guess would be the issue is somehow tied to that deny statement.
Hope that helps.
Regards,
Jarret
08-06-2008 02:09 AM
Re: Guest VLAN, IDM, DNS
Excellent point Jarret :)
I can see you have a Firewall,
- Moving the lines:
permit in tcp from any to 192.168.77.254/24
permit in ip from any to 192.168.77.254/24
Before :
deny in ip from any to 192.168.77.0/24
Could help,
But I'm not sure, since I can't tell what the default route is that you've configured on the switch.
- Did you test the routing between the Routing Switch and the Firewall (like from Vlan8 ping the Firewall IP)
- Did you try to ping the DNS servers from the client ?
Good Luck !!!
08-06-2008 04:11 AM
Re: Guest VLAN, IDM, DNS
show access-list radius d21
Radius-configured Port-based ACL for
Port D21, Client -- 0017A4D76B45
permit in udp from any to 4.2.2.1/32 cnt
Packet Hit Counter : 28
permit in tcp from any to 4.2.2.1/32 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.75.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.76.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.77.0/24 cnt
Packet Hit Counter : 6
deny in ip from any to 192.168.74.0/24 cnt
Packet Hit Counter : 0
deny in ip from any to 192.168.73.0/24 cnt
Packet Hit Counter : 0
permit in ip from any to 0.0.0.0/0 cnt
Packet Hit Counter : 65
I currently have an L2 setup. I have 2 5406's with a 4gb trunk between them. All gateways are on CORE1. This client is on CORE2, so the gateway for the client (192.168.78.1) resides on CORE1. I feel confident that routing is ok, because as originally stated I can manually add entries in the client's hosts file and am able to access the websites.
Any other suggestions?
Thanks!
08-06-2008 08:28 AM
Re: Guest VLAN, IDM, DNS
Well, it looks like the first ACE for the permit UDP to your DNS server is getting hits, but I'm not sure why DNS would not be working at this point.
Sorry if this is re-hashing what you were discussing about adding entries in the host file, but would it be possible to either temporarily remove the ACL or just put in a first line ACE of permit any any to verify the root issue is the ACL?
From what I see in the latest data, since we are getting hit counters on the permit for the UDP to 4.2.2.1, I would expect this to work...
Maybe one other test thought: From the test clients, can we try testing DNS via an NSlookup to see if ip addresses are resolving to names and vice-versa?
08-06-2008 09:50 AM
Re: Guest VLAN, IDM, DNS
I then changed the client to use my internal DNS servers (also Domain Controllers) and internet works. Note: my domain controllers are on the 192.168.77.0 subnet.
Any ideas on how I should set this up? I didn't really want to allow traffic to my internal DNS servers from guests. I was hoping to use public DNS servers, which is why I was using 4.2.2.1 and 4.2.2.2.
08-06-2008 10:06 AM
Re: Guest VLAN, IDM, DNS
How about we just have permit statements that only allow guest access to 192.168.77.0 for DNS?
I believe DNS uses TCP and UDP port 53, so in our ACL, I think we could just have permit statements allowing TCP/UDP from your guest network to 192.168.77.0/24 eq 53. Then we would follow this statement with a deny for anything else from the guest network to the 192.168.77.0/24 network.
08-06-2008 10:41 AM
Re: Guest VLAN, IDM, DNS
show access-list radius d21
Radius-configured Port-based ACL for
Port D21, Client -- 0017A4D76B45
permit in udp from any to 0.0.0.0/0 53 cnt
Packet Hit Counter : 0
permit in tcp from any to 0.0.0.0/0 53 cnt
Packet Hit Counter : 0
deny in ip from any to 0.0.0.0/0
08-06-2008 11:19 AM
Re: Guest VLAN, IDM, DNS
show access-list radius d21
Radius-configured Port-based ACL for
Port D21, Client -- 0017A4D76B45
permit in udp from any to 0.0.0.0/0 53
permit in tcp from any to 0.0.0.0/0 53
deny in ip from any to 192.168.77.0/24
deny in ip from any to 192.168.73.0/24
deny in ip from any to 192.168.74.0/24
deny in ip from any to 192.168.75.0/24
deny in ip from any to 192.168.76.0/24
permit in ip from any to 0.0.0.0/0
Any security issues with this?
08-06-2008 11:37 AM
Glad to see it looks like you have things working now. I was about to respond to your last message that the deny any any was probably restricting too much (such as DHCP no longer getting through). However, having the more specific deny statements for particular subnets with the permit any any at the end works a little better.
The only security issue that could arise would be if there is a subnet present that you have not defined in your deny statements. Otherwise, I think it would be ok.
My only other thought would be looking at the ACL a little differently. If the purpose of the ACL is to limit guest users to only have Internet access (and also DNS and DHCP for functionality), then we could have an access list that looked something like this (assuming 192.168.78.0/24 is guest network):
permit in udp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 53
permit in tcp from 192.168.78.0/24 to any 80 (http)
permit in udp from 192.168.78.0/24 to any 68 (DHCP client I believe)
deny in ip from 192.168.78.0/24 to any (this should block the guest network from accessing anything other than DNS, HTTP, and DHCP).
permit in ip from any to any
This is just a little different way of setting up the ACL, not necessarily any better than what you have. Other folks may have input on how they would like to set it up as well...
Regards,
Jarret
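The ordering problem Jarret spotted in the first RACL, and the DNS-only exception the final RACL carves out of the 192.168.77.0/24 deny, can both be checked offline with a small first-match simulator. This is an added example, not code from the thread or from HP; it assumes the switch evaluates ACEs top-down and stops at the first match, treats a missing port as "any port", and falls to an implicit deny when nothing matches. The two ACLs are the ones quoted in the first post and in the final working post.

```python
import ipaddress
from collections import namedtuple
Ace = namedtuple("Ace", "action proto src dst dport")  # dport None = any port

def net(p): return ipaddress.ip_network("0.0.0.0/0" if p == "any" else p, strict=False)  # 192.168.77.254/24 -> /24 net

def covers(a, b):
    """True if every packet matched by ACE b is also matched by ACE a ("ip" matches any protocol)."""
    return (a.proto in ("ip", b.proto) and (a.dport is None or a.dport == b.dport)
            and net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst)))

def parse_acl(text):
    """Parse the ACE lines of 'show access-list radius' output; hit counters and 'cnt' are ignored."""
    acl = []
    for t in (line.split() for line in text.strip().splitlines()):
        if t[0] in ("permit", "deny"):
            dport = int(t[7]) if len(t) > 7 and t[7].isdigit() else None
            acl.append(Ace(t[0], t[2], t[4], t[6], dport))
    return acl

def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup: (action, index of the ACE that fired); no match -> assumed implicit deny."""
    pkt = Ace("?", proto, src + "/32", dst + "/32", dport)
    for i, ace in enumerate(acl):
        if covers(ace, pkt):
            return ace.action, i
    return "deny", None

def shadowed(acl):
    """Indices of ACEs that can never fire because an earlier ACE already covers them."""
    return [i for i, ace in enumerate(acl) if any(covers(acl[j], ace) for j in range(i))]

# ACLs quoted from the thread: the first post's RACL and the final working version.
ORIGINAL = parse_acl("""deny in ip from any to 192.168.75.0/24 cnt
deny in ip from any to 192.168.76.0/24 cnt
deny in ip from any to 192.168.77.0/24 cnt
deny in ip from any to 192.168.74.0/24 cnt
deny in ip from any to 192.168.73.0/24 cnt
permit in udp from any to 0.0.0.0/0 53 cnt
permit in tcp from any to 192.168.77.254/24 cnt
permit in ip from any to 192.168.77.254/24 cnt
permit in udp from any to 192.168.77.254/24 cnt
permit in ip from any to 0.0.0.0/0 cnt""")
FINAL = parse_acl("""permit in udp from any to 0.0.0.0/0 53
permit in tcp from any to 0.0.0.0/0 53
deny in ip from any to 192.168.77.0/24
deny in ip from any to 192.168.73.0/24
deny in ip from any to 192.168.74.0/24
deny in ip from any to 192.168.75.0/24
deny in ip from any to 192.168.76.0/24
permit in ip from any to 0.0.0.0/0""")
```

`shadowed(ORIGINAL)` reports the three firewall permits (indices 6, 7, 8) as unreachable behind the 192.168.77.0/24 deny, while `evaluate(FINAL, "udp", "192.168.78.21", "192.168.77.10", 53)` shows the guest reaching an internal resolver on port 53 only, with any other port to that subnet still denied.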